Media reports of high-profile nation-state hacks have many executives looking worriedly outward in anticipation of the next attack, but one security expert warns that many security practitioners are so focused outwards that they are forgetting to implement even basic protections that pose a more immediate threat.

Many companies “are not even getting the basic blocking and tackling of cyber hygiene right,” warned Tenable country manager Bede Hackney, who took over the local reins at the fast-growing security firm several months ago and has seen some consistent themes emerge during his dealings with customers so far.

Areas such as vulnerability management were frequently handled on a best-guess basis that proved inadequate. One company, he said, believed it had inventoried its exposure to the Microsoft EternalBlue vulnerability that enabled WannaCry and its path of destruction – but when a vulnerability-scanning tool was run, it identified 1000 servers that weren’t even on the organisation’s patching list.

“In the Australian enterprise and mid markets, the majority of organisations don’t even have a complete view of their assets, let alone having a complete view of the vulnerabilities in their asset pools,” Hackney told CSO Australia.

Vulnerability management is a core element of the protections espoused by the Australian Signals Directorate’s Top 4 and Essential Eight protections, yet ongoing studies suggest that many companies continue to fall behind when it comes to comprehensive vulnerability management.

The issue is compounded when organisations regularly start and shut down virtual machines: such machines can expose vulnerabilities that are available for compromise, then shut down within minutes or hours, long before the next vulnerability scan is run.
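The two gaps described above (hosts the scanner finds that the patching list has never heard of, and short-lived virtual machines whose whole lifetime falls between scheduled scans) are both set-comparison problems. The following is an added example written for this page, not code from the article or from Tenable; the hostnames, IP addresses, findings and scan schedule are constructed sample data, and the function names are the example's own.

```python
"""Reconcile scanner discoveries against a patching list and find VMs
that no scheduled scan could ever have seen.

Added example for this page, not code from the article or from Tenable.
All sample data below is constructed; hostnames, IPs, findings and scan
times are hypothetical.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed: what the patch-management team believes it owns. Entries are
# deliberately inconsistent in case and trailing dots, as exports often are.
PATCH_LIST = ["WEB01.corp.example.", "db02.corp.example", "10.0.0.7"]

# Constructed: what the scanner actually found, as (hostname, ip, finding).
# A finding of None means the host was reachable but nothing was flagged.
SCAN_RESULTS = [
    ("web01.corp.example", "10.0.0.5", "EternalBlue (SMBv1 exposed)"),
    ("db02.corp.example", "10.0.0.6", None),
    ("legacy-fs.corp.example", "10.0.0.7", "EternalBlue (SMBv1 exposed)"),
    ("build-agent-42", "10.0.1.9", "EternalBlue (SMBv1 exposed)"),
    ("print-srv", "10.0.1.10", None),
]


def normalize(identifier: str) -> str:
    """Canonicalise a host identifier so names from two tools compare equal.

    IP addresses are parsed and re-emitted in canonical form; hostnames are
    lower-cased with any trailing dot removed.
    """
    identifier = identifier.strip()
    try:
        return str(ipaddress.ip_address(identifier))
    except ValueError:
        return identifier.lower().rstrip(".")


def unmanaged_hosts(scan_results, patch_list):
    """Return scanner-discovered hosts that the patching list does not know.

    A host counts as managed if either its hostname or its IP appears on the
    patching list, so a list keyed by IP still matches a host reported by name.
    Result: sorted list of (hostname, ip, finding) tuples.
    """
    known = {normalize(entry) for entry in patch_list}
    return sorted(
        (host, ip, finding)
        for host, ip, finding in scan_results
        if normalize(host) not in known and normalize(ip) not in known
    )


def unmanaged_and_vulnerable(scan_results, patch_list):
    """Unmanaged hosts that also carry a finding: the gap to close first."""
    return [row for row in unmanaged_hosts(scan_results, patch_list) if row[2]]


# Constructed: VM lifetimes as (name, started, stopped) and a six-hourly
# scan schedule covering one day.
VM_LIFETIMES = [
    ("ci-runner-1", datetime(2018, 6, 1, 9, 0), datetime(2018, 6, 1, 9, 40)),
    ("ci-runner-2", datetime(2018, 6, 1, 13, 30), datetime(2018, 6, 1, 15, 0)),
    ("batch-worker", datetime(2018, 6, 1, 2, 0), datetime(2018, 6, 2, 2, 0)),
]
SCAN_TIMES = [datetime(2018, 6, 1, 0, 0) + timedelta(hours=6 * k) for k in range(5)]


def never_scanned(vm_lifetimes, scan_times):
    """Names of VMs whose whole lifetime fell between two scheduled scans.

    Such machines can run with an exploitable service and still never appear
    in any scan report, so the report alone cannot prove they were covered.
    """
    return sorted(
        name
        for name, started, stopped in vm_lifetimes
        if not any(started <= t <= stopped for t in scan_times)
    )


if __name__ == "__main__":
    for row in unmanaged_hosts(SCAN_RESULTS, PATCH_LIST):
        print("not on patching list:", row)
    print("never scanned:", never_scanned(VM_LIFETIMES, SCAN_TIMES))
```

With the constructed data, `legacy-fs` is treated as managed because its IP is on the patching list even though its hostname is not, while `build-agent-42` and `print-srv` are unmanaged and only the former carries a finding. Both CI runners lived entirely inside a six-hour scan interval and so never appear in any scan; shortening the interval or scanning at VM start (for example from a provisioning hook) is what closes that gap, not re-reading the existing reports.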

Conflating this type of exposure with the perceived threat of malicious state-backed outsiders, Hackney warned, can keep information-security practitioners chasing shadows while other malware walks in the front door.

“If we have an incomplete view of our cyber exposure,” he asked, “why are we as an industry focused on advanced persistent threats, and on looking for attacks from China and Russia? Bad actors will take the path of least resistance.”

Estimates of the prevalence of sophisticated nation-state attacks have varied widely, with a 2013 CyberArk survey finding that most executives believed nation-state attacks were a greater threat to their countries than physical attacks. And the Verizon Data Breach Investigations Report 2017 reported that 18 percent of analysed data breaches were conducted by state-affiliated actors.

“When you think about it, there is no other monetisation that’s occurring from these attacks,” he recently told CSO Australia. “Nation-state actors are not only pursuing cyber as an asymmetric weapon, but also for the economic disruption of other states’ economic capacity. Corporations need to understand that they’re literally on the front lines of this risk – and that they should expect that activity will increase.”

Yet even as vendors have rushed to patch vulnerabilities in the wake of reports of nation-state activity – Microsoft, for example, executed a particularly extensive Patch Tuesday in June for this purpose – others are stepping up their call for companies to keep some perspective on their biggest exposure.

“At the end of the day, cybersecurity really does tie back to some basic things that all organisations should be focused on,” ISACA CEO Matt Loeb recently told CSO Australia. “This includes good governance of their information and technology. Information security, as a function, has existed long before the technology.”

“And while we do have mindshare around cybersecurity, a lot of that is based around the risk and the fact that organisations are using legacy equipment and software that wasn’t designed with resilience in mind. We really have to pay attention to this, because the nefarious actors in the space are really well resourced.”


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.